Critical severity 9.8 · NVD Advisory · Published Feb 17, 2017 · Updated Jun 17, 2026
CVE-2016-4861
Description
The (1) order and (2) group methods in Zend_Db_Select in the Zend Framework before 1.12.20 might allow remote attackers to conduct SQL injection attacks by leveraging failure to remove comments from an SQL statement before validation.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| zendframework/zendframework (Packagist) | < 1.12.20 | 1.12.20 |
Affected products
- cpe:2.3:o:fedoraproject:fedora:23:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:24:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:25:*:*:*:*:*:*:*
References
- framework.zend.com/security/advisory/ZF2016-03 [nvd] Exploit, Technical Description, Vendor Advisory, WEB
- jvn.jp/en/jp/JVN18926672/index.html [nvd] Third Party Advisory, VDB Entry, WEB
- jvndb.jvn.jp/jvndb/JVNDB-2016-000158 [nvd] Third Party Advisory, VDB Entry, WEB
- github.com/advisories/GHSA-xfjq-w3cw-h5fq [ghsa] ADVISORY
- nvd.nist.gov/vuln/detail/CVE-2016-4861 [ghsa] ADVISORY
- lists.debian.org/debian-lts-announce/2018/06/msg00012.html [nvd] WEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2JUKFTI6ABK7ZN7IEAGPCLAHCFANMID2 [ghsa] WEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N27AV6AL6B4KGEP3VIMIHQ5LFAKF5FTU [ghsa] WEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UR5HXNGIUSSIZKMSZYMPBEPZEZTYFTIT [ghsa] WEB
- security.gentoo.org/glsa/201804-10 [nvd] WEB
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2JUKFTI6ABK7ZN7IEAGPCLAHCFANMID2/ [nvd]
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N27AV6AL6B4KGEP3VIMIHQ5LFAKF5FTU/ [nvd]
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UR5HXNGIUSSIZKMSZYMPBEPZEZTYFTIT/ [nvd]